A case for a more secure Facebook

This past week, a few of us at the office logged into Facebook to discover our accounts had been locked. A few months ago, this would have been a bigger issue for us, but this week the two times we were all locked out were mild annoyances and an opportunity to change our passwords.

The reason our accounts were locked wasn’t immediately clear. Facebook blamed “a cybercriminal”, but speaking for myself, I knew I used a very secure password and even if someone had managed to crack it, it was unlikely they’d have been able to crack the rest of our accounts simultaneously (twice, no less). Eventually, we were able to narrow it down to one of our pages sharing politically controversial content, which was being reported as malicious by people who didn’t agree with the content.

But despite the fact that our passwords were safe the whole time, we all had to change our passwords (twice) and before we knew what was going on, there was some tension that someone had actually gained access to our accounts. So it brings up a good opportunity for me to discuss something I’ve wanted to talk about for a while.

Secure passwords aren’t cool. You know what’s cool? RSA Tokens.

RSA SecurID tokens are keychain-sized devices that can add physical security to a web-based authentication system. Here’s how they work: each user is given a unique token which is bound to their account. Using a special mathematical function of the current time and a random, unique-per-token “seed” value, a sequence of numbers is generated that the user can use to log in. The sequence expires after a short amount of time (but a new one can be generated quickly). Since the authentication server knows which fob belongs to which user, it can use the same mathematical function to verify that the user attempting to log in has access to that account.

This is, in computer security lingo, a two-factor authentication scheme. The obvious benefit is that by requiring a SecurID to log in, a user can’t simply guess (or even know) your password; he has to have physical access to your fob or access to the server which knows about your fob. This protects against even the most insecure passwords: even if a hacker knows your password cold, he has to guess a six (or eight) digit sequence within the right time period too. Conversely, if you lose your token, no one would be able to log in as you (or, theoretically, know who you even are) without knowing your password.

There are some downsides to this approach, though. The biggest one is that it adds another step to logging in, which is a hassle for users who aren’t concerned about the security of their Facebook accounts (and there are some accounts worth more than others). For this reason, two-factor authentication should always be optional, but encouraged. Many users also click “Remember me” when they log in, and I’d reconcile the desire for more security with the desire for convenience by remembering the user’s password, but making them enter a new sequence from their fob periodically.

Another hairy issue is what to do if a user loses, or loses control of, their fob. A few years ago I logged into my Battle.net account to find that someone had hacked into my account and added a SecurID token (Blizzard calls it a “Battle.net authenticator”) to it. I couldn’t log in anymore because I didn’t have access to the fob, so it was a long process to prove to Blizzard that I owned the account and that they should remove the fob. To an extent, this is an unpreventable problem: the more discriminating the security, the better the chance is that you’ll be falsely rejected by it. However, you can alleviate the risk somewhat by adding backup fobs to your account. The keychain fob is the most convenient, but you can also do this via SMS text message, a smartphone app or even an e-mail. (In fact, Facebook already allows for two-factor authentication via text message.) Basically, you just add multiple RSA generators to your account (a SecurID token and an iPhone app, for example, which are both unique) and any one code can get you in. In fact, if getting locked out of your Facebook account for any length of time is a problem for you, you’d absolutely need the ability to add multiple key generators (and the ability to remove compromised ones).
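As an added illustration (not from the original post), here is a toy authentication server in Python that shows both points above: codes derived from a per-token seed and the current time step, and an account with several registered generators where any one of them satisfies the second factor and a lost one can be revoked. It uses the HMAC-based TOTP construction as a stand-in, since SecurID’s real algorithm is proprietary; the 60-second step, the account data and the seeds are constructed assumptions.

```python
import hmac
import hashlib
import struct

STEP = 60      # seconds a code stays valid (assumed for this demo)
DIGITS = 6     # six-digit codes, as the post describes


def code_for(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """Derive one code from a per-token seed and a time-step counter.
    HMAC-SHA1 with dynamic truncation (RFC 4226/6238) stands in for
    SecurID's proprietary function; the shape of the scheme is the same."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def current_code(seed: bytes, now: float) -> str:
    """What the fob (or phone app) displays at wall-clock time `now`."""
    return code_for(seed, int(now) // STEP)


# Server-side account record: password hash plus every generator bound to
# the account. Constructed sample data; a real system would use a slow
# password hash such as bcrypt or Argon2 rather than plain SHA-256.
ACCOUNTS = {
    "alice": {
        "pw_hash": hashlib.sha256(b"correct horse battery staple").hexdigest(),
        "generators": {"keyfob": b"constructed-seed-keyfob-0001",
                       "phone_app": b"constructed-seed-phone-0002"},
    }
}


def verify_login(user: str, password: str, code: str, now: float, window: int = 1):
    """Both factors must pass. Any registered generator may have produced
    the code, and a +/-1 step window tolerates clock drift between the fob
    and the server. Returns (ok, name_of_generator_that_matched)."""
    acct = ACCOUNTS.get(user)
    if acct is None:
        return False, None
    given = hashlib.sha256(password.encode()).hexdigest()
    if not hmac.compare_digest(given, acct["pw_hash"]):
        return False, None          # first factor failed; do not reveal which
    counter = int(now) // STEP
    for name, seed in acct["generators"].items():
        for delta in range(-window, window + 1):
            if hmac.compare_digest(code_for(seed, counter + delta), code):
                return True, name
    return False, None


def revoke_generator(user: str, name: str) -> bool:
    """Remove a lost or compromised generator; the others keep working."""
    return ACCOUNTS[user]["generators"].pop(name, None) is not None
```

Because the server stores the seeds, anyone who reads the account table can run `current_code` themselves, which is exactly the "security of the host server" caveat discussed further down.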

It’s also worth mentioning that the security of the SecurID system is mostly dependent on the security of the host server; that is, if a hacker were to gain access to Facebook’s database and learn what token is bound to your account he could theoretically gain access to your account if he also knew your password. But there are a lot of ifs there, which is sort of the point of a two-factor authentication system: adding another factor that a hacker has to contend with.

So does this completely address the problem we actually had? No. But with two-factor authentication, we could have effectively ruled out password theft: if we all had all of our tokens (or phones) on us, we could have known with pretty high probability that our accounts were safe.

Two-factor authentication isn’t exactly mainstream, but it’s not exactly the cutting edge either (as I said, Battle.net has been using them for a few years now, and many major companies have been using them for corporate security for way longer). By making this a big part of their user security strategy, Facebook could help make it more mainstream. Protecting their users’ security is in Facebook’s best interest, because it makes users feel at ease with what they share and post on the site, and it also makes their Facebook Connect/Login with Facebook product more compelling for more users. I bought my Battle.net authenticator a few years ago for $6. Since Facebook is producing these at such a high scale, and since they’re relatively cheap to make, and since, again, it’s in Facebook’s best interest to have a more secure user base, is $3 or $4 apiece out of the question? I don’t think so, and frankly, if they became available, I’d buy one immediately for five times that.